US-9674173

Automatic certificate enrollment in a special-purpose appliance

Published: June 6, 2017
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A digital certificate is created transparently on a mobile device. A VPN appliance receives user credentials from an app, the credentials familiar to the user and associated with an enterprise authentication service. The credentials are validated, comprising the first user authentication in a two-factor authentication method. The user is then presented with a display in the app asking for a PIN. The appliance generates a PIN and sends it to the user via the user enterprise email. The user enters the PIN in the app display. This is the second factor in the two-factor authentication. Once the user is authenticated, the appliance sends data for generating a Certificate Signing Request (CSR) to the app. The app generates a CSR and the appliance sends the CSR to an enterprise CA. A certificate is signed and enrolled. The signed digital certificate is then sent to the wrapped app.

Patent Claims
10 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method comprising: receiving user credentials from a wrapped app running on a device, the user credentials received at a separate virtual private network (VPN) appliance part of an enterprise network; validating the user credentials against the enterprise network including an authentication service; sending Certificate Signing Request (CSR) generation data from the VPN appliance to the wrapped app running on the device, wherein the first wrapped app generates a CSR using the CSR generation data; receiving the CSR from the device at the VPN appliance, wherein the VPN appliance sends the CSR to an enterprise Certificate Authority (CA); delivering a signed certificate to the wrapped app running on the device; storing the signed certificate in a keystore in the wrapped app, said keystore only accessible by the wrapped app; and establishing a secure per-app service tunnel between the wrapped app and the VPN appliance, wherein said service tunnel is only utilized by the wrapped app.

Plain English Translation

A method for automatically enrolling a digital certificate on a mobile device involves a wrapped application and a VPN appliance that is part of an enterprise network. The VPN appliance receives user credentials from the wrapped app and validates them against the enterprise authentication service. It then sends CSR generation data to the wrapped app, which uses that data to generate a Certificate Signing Request (CSR) and returns it to the appliance. The appliance forwards the CSR to an enterprise Certificate Authority (CA), and the signed certificate is delivered back to the wrapped app, which stores it in a keystore that only the wrapped app can access. Finally, a secure per-app service tunnel is established between the wrapped app and the VPN appliance, and only the wrapped app may use that tunnel.

Claim 2

Original Legal Text

2. The method of claim 1, wherein after the user credentials are validated against the authentication service, an enrollment pin is sent in an email to an enterprise email account corresponding to the user.

Plain English Translation

After the user's credentials have been validated against the authentication service, the method sends an enrollment PIN by email to the user's enterprise email account. The PIN serves as the second factor in a two-factor authentication scheme: someone who holds only the user's credentials cannot complete enrollment without also having access to that mailbox. The enrollment process does not proceed until the correct PIN is received.

Claim 3

Original Legal Text

3. The method of claim 2, wherein the user provides the enrollment pin to the VPN appliance.

Plain English Translation

After the enrollment PIN has been sent to the user's enterprise email, the user must provide that PIN to the VPN appliance, which checks it as the second factor of authentication. The process waits for the user to enter the PIN, so a live user must take part in the certificate generation rather than enrollment completing on the credentials alone. This reduces the risk of a certificate being issued without the user's confirmation.
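The enrollment exchange described in the abstract and in claims 1 to 3, written out as an added Python example that is not part of the patent or of any product: a minimal appliance-side state machine that enforces the order credentials, emailed PIN, CSR generation data, CSR, CA. It assumes a five-minute PIN lifetime, a three-attempt limit, injected stand-ins for the authentication service, mail system and CA, and a dictionary in place of a real PKCS#10 CSR; all of these are choices made here, not details taken from the patent.

```python
import hashlib, hmac, secrets, time

PIN_TTL_SECONDS = 300    # assumption: an emailed PIN stays valid for five minutes
MAX_PIN_ATTEMPTS = 3     # assumption: three wrong PINs end the session


class VpnAppliance:
    """Appliance side of the flow. The injected callables stand in for the enterprise
    pieces: auth(user, pw) -> bool, mailer(address, body), and ca(csr) -> cert."""

    def __init__(self, auth, mailer, ca, mail_domain="corp.example"):
        self.auth, self.mailer, self.ca, self.domain = auth, mailer, ca, mail_domain
        self.sessions = {}

    def start(self, user, password):
        """First factor: validate enterprise credentials, then email a one-time PIN."""
        if not self.auth(user, password):
            return None
        pin = f"{secrets.randbelow(10**6):06d}"
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "attempts": 0, "csr_nonce": None,
                              "pin_hash": hashlib.sha256(pin.encode()).digest(),
                              "expires": time.time() + PIN_TTL_SECONDS}
        self.mailer(f"{user}@{self.domain}", f"Your enrollment PIN is {pin}")
        return sid

    def verify_pin(self, sid, pin):
        """Second factor. On success return the CSR generation data for the app."""
        s = self.sessions.get(sid)
        if s is None or time.time() > s["expires"]:
            self.sessions.pop(sid, None)
            return None
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), s["pin_hash"]):
            s["attempts"] += 1
            if s["attempts"] >= MAX_PIN_ATTEMPTS:
                del self.sessions[sid]
            return None
        # CSR generation data: the subject to request plus a nonce bound to this session.
        s["csr_nonce"] = secrets.token_hex(8)
        return {"subject": f"CN={s['user']}", "nonce": s["csr_nonce"]}

    def enroll(self, sid, csr):
        """Forward the CSR to the CA only if it matches the authenticated session."""
        s = self.sessions.pop(sid, None)   # one CSR per session, whether or not it passes
        if s is None or s["csr_nonce"] is None or csr.get("subject") != f"CN={s['user']}" \
                or not hmac.compare_digest(str(csr.get("nonce", "")), s["csr_nonce"]):
            return None
        return self.ca(csr)
```

The subject check in enroll is the point a reviewer would look for: the appliance must refuse to forward a CSR naming an identity other than the one that passed both factors, or the CA would sign whatever the app asks for.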

Claim 4

Original Legal Text

4. The method of claim 1, wherein the signed certificate is maintained in data-at-rest (DAR) in the wrapped app.

Plain English Translation

The signed certificate is maintained as data-at-rest (DAR) within the wrapped app, meaning it is kept in protected, encrypted form on the device whenever the app is not actively using it. Data-at-rest protection means that someone who obtains the device's storage finds the certificate encrypted rather than readable, which helps preserve the integrity of the secure connection with the enterprise network.

Claim 5

Original Legal Text

5. The method of claim 1, wherein the keystore is not accessible to other applications or the operating system on the mobile device.

Plain English Translation

The keystore in which the wrapped app stores the signed certificate is inaccessible to other applications and to the device's operating system; it is an app-internal store rather than a shared system keystore. This isolation prevents other apps or system-level processes from reading or tampering with the stored certificate, protecting its confidentiality and integrity.

Claim 6

Original Legal Text

6. The method of claim 1, wherein the wrapped app is an app wrapped in a security layer.

Plain English Translation

The wrapped app is an application that has been encapsulated in a security layer. The wrapper adds security controls, such as encryption and integrity checks, around the app and its data to protect them from tampering and unauthorized access.

Claim 7

Original Legal Text

7. The method of claim 6, wherein the security layer is operable to enhance or modify a request before the request is passed to the operating system or other software or hardware component on the device.

Plain English Translation

Because the app is wrapped in a security layer, that layer can enhance or modify a request before it is passed to the operating system or to other software or hardware components on the device. In other words, the layer can inspect, validate, and transform requests originating from the app in order to enforce security policy; for example, it might encrypt data, add authentication headers, or block requests that violate policy. Since this interception happens inside the app, the controls apply regardless of what the underlying operating system or hardware provides.

Claim 8

Original Legal Text

8. The method of claim 1, wherein the secure per-app service tunnel can only be used by the wrapped app.

Plain English Translation

Within the automatic certificate enrollment method, the secure per-app service tunnel established between the wrapped app and the VPN appliance is designed for exclusive use by that specific wrapped app. Other applications on the device cannot access or utilize this tunnel, providing a dedicated and isolated communication channel. This ensures that only authorized traffic from the wrapped app can pass through the tunnel, preventing other applications from eavesdropping or interfering with the secure connection.

Claim 9

Original Legal Text

9. A non-transitory computer readable storage medium comprising: computer code for receiving user credentials from a wrapped app running on a device, the user credentials received at a separate virtual private network (VPN) appliance part of an enterprise network; computer code for validating the user credentials against the enterprise network including an authentication service; computer code for sending Certificate Signing Request (CSR) generation data from the VPN appliance to the wrapped app running on the device, wherein the first wrapped app generates a CSR using the CSR generation data; computer code for receiving the CSR from the device at the VPN appliance, wherein the VPN appliance sends the CSR to an enterprise Certificate Authority (CA); computer code for delivering a signed certificate to the wrapped app running on the first device; computer code for storing the signed certificate in a keystore in the wrapped app, said keystore only accessible by the wrapped app; and computer code for establishing a secure per-app service tunnel between the wrapped app and the VPN appliance, wherein said service tunnel is only utilized by the wrapped app.

Plain English Translation

A non-transitory computer readable storage medium contains computer code that implements automatic certificate enrollment on a mobile device, involving a wrapped application and a VPN appliance. The code receives user credentials from the wrapped app at the VPN appliance (part of an enterprise network) and validates them against an enterprise authentication service. It then sends CSR generation data from the appliance to the app, enabling the app to generate a CSR. The code receives the CSR back at the appliance, which forwards it to an enterprise CA. The signed certificate is delivered to the wrapped app, and the code stores it in a secure, app-specific keystore. Finally, the code establishes a secure, per-app service tunnel between the wrapped app and the VPN appliance, ensuring exclusive usage by that app.

Claim 10

Original Legal Text

10. The non-transitory computer readable storage medium of claim 9, wherein after the user credentials are validated against the authentication service, and an enrollment pin is sent in an email to an enterprise email account corresponding to the user.

Plain English Translation

The code on the storage medium, after validating the user's credentials against the authentication service, sends an enrollment PIN by email to the user's enterprise email account. The PIN serves as the second factor of authentication: someone who holds only the user's credentials cannot complete enrollment without also having access to that mailbox, and the code does not proceed with enrollment until the correct PIN is received.

Patent Metadata

Filing Date

April 10, 2015

Publication Date

June 6, 2017

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Automatic certificate enrollment in a special-purpose appliance” (US-9674173). https://patentable.app/patents/US-9674173

© 2026 Nomic Interactive Technology LLC.